* debian/patches:
[sojka/debian/lightdm.git] / debian / patches / 02_fix-apparmor-profile.patch
index b693661b487b8388ca5a21837215b358d31b4f57..8223f8c734f35d8fed6e9ae1fa3ee05925f38d03 100644 (file)
@@ -8,3 +8,37 @@
    #include <abstractions/nameservice>
    #include <abstractions/wutmp>
    /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
+@@ -74,10 +73,11 @@
+   capability ipc_lock,
+   # allow processes in the guest session to signal and ptrace each other
+-  signal peer=@{profile_name},
+-  ptrace peer=@{profile_name},
+-  # needed when logging out of the guest session
+-  signal (receive) peer=unconfined,
++  # this doesn't work with the current Debian apparmor
++  #signal peer=@{profile_name},
++  #ptrace peer=@{profile_name},
++  ## needed when logging out of the guest session
++  #signal (receive) peer=unconfined,
+   # silence warnings for stuff that we really don't want to grant
+   deny capability dac_override,
+--- a/data/apparmor/abstractions/lightdm_chromium-browser
++++ b/data/apparmor/abstractions/lightdm_chromium-browser
+@@ -8,6 +8,7 @@
+ # provided in abstractions/lightdm, this abstraction must be separate from
+ # abstractions/lightdm.
++  /usr/lib/chromium/chromium Cx -> chromium,
+   /usr/lib/chromium-browser/chromium-browser Cx -> chromium,
+   /usr/bin/webapp-container Cx -> chromium,
+   /usr/bin/webbrowser-app Cx -> chromium,
+@@ -53,6 +54,7 @@
+     /selinux/ r,
++    /usr/lib/chromium/chrome-sandbox ix,
+     /usr/lib/chromium-browser/chromium-browser-sandbox ix,
+     /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
+     /opt/google/chrome-*/chrome-sandbox ix,
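Review bot: The added lines that comment out `signal peer=@{profile_name},`, `ptrace peer=@{profile_name},` and `signal (receive) peer=unconfined,` justify it only with "this doesn't work with the current Debian apparmor", so nothing records which version is meant or when the rules have to come back. If a later Debian AppArmor does mediate signals and ptrace, a profile without these allow rules would presumably deny them, and the logout path that the original comment ties to the unconfined receive rule would break. I would state the condition in the comment, for example `# disabled: Debian apparmor <VERSION-PLACEHOLDER> does not accept signal/ptrace rules (see <BUG-REFERENCE-PLACEHOLDER>); restore once supported`. The two chromium additions mirror the existing `Cx -> chromium` and sandbox `ix` rules; it is worth confirming that `/usr/lib/chromium/chromium` and `/usr/lib/chromium/chrome-sandbox` are the paths the Debian package installs, because a rule for a path that does not exist grants nothing and leaves the browser unable to start in the guest session.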